hi,
I'm receiving a lot of phishing email with the following domain:
111212c.com
In particular go to the address:
hxxx://www.111212c.com/CartaSi
this is the fake site of CartaSi credit card:
https://titolari.cartasi.it/portal/server.pt
The list of all phish email is: resolves to:
2008/07/06 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/07 00:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/08 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/08 00:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/07/26 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/08/30 00:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
2008/08/31 14:00 hxxx://www.111212c.com/CartaSi 89.163.148.89
all are archived if asked.
The tracking link of the last is:
http://www.spamcop.net/sc?id=z2203453250z8...2cfa447909520az
The domain '111212c.com' resolves to IP: 89.163.148.89
The name servers are:
ns1.netsons.com [85.14.217.237]
ns2.netsons.com [85.14.218.87]
ns3.netsons.com [85.14.217.237]
ns4.netsons.com [85.14.218.87]
The IP:89.163.148.89 is the same of old already suspended phished domain:
2008/08/02 00:00 hxxx://www.101001cs.com/CartaSi 89.163.148.89
2008/08/04 00:00 hxxx://www.101001cs.com/CartaSi/liberamente/ 89.163.148.89
2008/08/04 14:00 hxxx://www.101001cs.com/liberamente/ 89.163.148.89
2008/08/06 14:00 hxxx://www.101001cs.com/CartaSi 89.163.148.89
The problem from the whois report is that the domain:
111212c.com
to me seem registered from Registrar:
Wild West Domains, Inc.
to
SUPERNOVA S.R.L.
Via Marconi 29
Pescara, Pescara 65100
http://www.netsons.org/
that in turns, it registrar to a person:
Franco Analoa
via salerno 10
Roma, RM 00100
Apart that those maybe fake data, because there is no Via Marconi in Pescara, and there is no Via Salerno 10 in Rome,
Spamcop parsing system report that domain is registered to 'unitedcolo.de':
http://www.spamcop.net/sc?action=showcmd;c...0whois.ripe.net
and the abuse email 'abuse[at]unitedcolo.de' is bouncing.
Making a reverse lookup from IP: 89.163.148.89
really carry to unitedcolo.de ?!
How they managed to obtain this difference in direct and reverse lookup of NS ?
Whois record is errata?
Is this confusing Spamcop web based parse reporting?
[on edit] While these and other matters are pondered Live links pulled. This is a known EXPLOIT site, why would you post links to it?
Full Version: whois incorrect
I am seeing (my emphasis):
C:\Documents and Settings\Steve>nslookup 111212c.com
...
Non-authoritative answer:
Name: 111212c.com
Address: 89.163.148.89
C:\Documents and Settings\Steve>whosip -r 89.163.148.89
WHOIS Source: RIPE NCC
IP Address: 89.163.148.89
Country: Germany
Network Name: DE-UNITED-COLO-20060217
Owner Name: UNITED COLO GmbH
From IP: 89.163.128.0
To IP: 89.163.255.255
Allocated: Yes
Contact Name: Hostmaster unitedcolo.de
Address: UNITED COLO GmbH, Sonntagsanger 1, 96450 Coburg, Germany
Email: noc[at]unitedcolo.de
Abuse Email: abuse[at]unitedcolo.de
Phone: +49-9561-871145
Fax: +49-9561-871146
WHOIS Record:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Information related to '89.163.128.0 - 89.163.255.255'
inetnum: 89.163.128.0 - 89.163.255.255
org: ORG-EGC1-RIPE
netname: DE-UNITED-COLO-20060217
descr: UNITED COLO GmbH
country: DE
admin-c: UCHM-RIPE
tech-c: UCHM-RIPE
status: ALLOCATED PA
remarks: * Please submit abuse only on *
remarks: * http://www.unitedcolo.de/abuse/ *
notify: lir[at]unitedcolo.de
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MNT-UNITEDCOLO
mnt-routes: MNT-UNITEDCOLO
changed: hostmaster[at]ripe.net 20060217
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
source: RIPE
organisation: ORG-EGC1-RIPE
org-name: UNITED COLO GmbH
org-type: LIR
address: Sonntagsanger 1
address: 96450
address: Coburg
address: Germany
phone: +499561871145
fax-no: +499561871146
e-mail: lir[at]unitedcolo.de
admin-c: ON99-RIPE
admin-c: VK1406-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MNT-UNITEDCOLO
notify: lir[at]unitedcolo.de
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster[at]ripe.net 20040415
changed: bitbucket[at]ripe.net 20041029
changed: bitbucket[at]ripe.net 20041104
changed: hostmaster[at]ripe.net 20041104
changed: bitbucket[at]ripe.net 20041105
changed: bitbucket[at]ripe.net 20041108
changed: bitbucket[at]ripe.net 20050102
changed: bitbucket[at]ripe.net 20050106
changed: bitbucket[at]ripe.net 20050204
changed: bitbucket[at]ripe.net 20050204
changed: bitbucket[at]ripe.net 20050208
changed: bitbucket[at]ripe.net 20050314
changed: bitbucket[at]ripe.net 20050314
changed: bitbucket[at]ripe.net 20050411
changed: bitbucket[at]ripe.net 20050411
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050413
changed: bitbucket[at]ripe.net 20050414
changed: bitbucket[at]ripe.net 20050414
changed: bitbucket[at]ripe.net 20050528
changed: bitbucket[at]ripe.net 20050613
changed: bitbucket[at]ripe.net 20050617
changed: bitbucket[at]ripe.net 20050718
changed: bitbucket[at]ripe.net 20050722
changed: bitbucket[at]ripe.net 20050928
changed: bitbucket[at]ripe.net 20060110
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060216
changed: bitbucket[at]ripe.net 20060217
changed: bitbucket[at]ripe.net 20070330
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070813
changed: bitbucket[at]ripe.net 20070813
source: RIPE
role: Hostmaster unitedcolo.de
address: UNITED COLO GmbH
address: Sonntagsanger 1
address: 96450 Coburg
address: Germany
phone: +49-9561-871145
fax-no: +49-9561-871146
e-mail: noc[at]unitedcolo.de
admin-c: ON99-RIPE
tech-c: ON99-RIPE
tech-c: VK1406-RIPE
nic-hdl: UCHM-RIPE
notify: lir[at]unitedcolo.de
remarks: ***********************************
remarks: * *
remarks: * Mail all Abuse to *
remarks: * *
remarks: * abuse[at]unitedcolo.de *
remarks: * *
remarks: ***********************************
mnt-by: MNT-UNITEDCOLO-MNT
changed: lir[at]unitedcolo.de 20041104
changed: lir[at]unitedcolo.de 20041105
changed: lir[at]unitedcolo.de 20050312
changed: lir[at]unitedcolo.de 20050422
changed: lir[at]unitedcolo.de 20050718
changed: lir[at]unitedcolo.de 20060225
changed: lir[at]unitedcolo.de 20070729
source:
C:\Documents and Settings\Steve>
So yes, some bad records if abuse[at]unitedcolo.de is consistently bouncing but the webpage might do for individual/manual reports. If you can find a better email abuse address the deputies will want to know.
C:\Documents and Settings\Steve>nslookup 111212c.com
...
Non-authoritative answer:
Name: 111212c.com
Address: 89.163.148.89
C:\Documents and Settings\Steve>whosip -r 89.163.148.89
WHOIS Source: RIPE NCC
IP Address: 89.163.148.89
Country: Germany
Network Name: DE-UNITED-COLO-20060217
Owner Name: UNITED COLO GmbH
From IP: 89.163.128.0
To IP: 89.163.255.255
Allocated: Yes
Contact Name: Hostmaster unitedcolo.de
Address: UNITED COLO GmbH, Sonntagsanger 1, 96450 Coburg, Germany
Email: noc[at]unitedcolo.de
Abuse Email: abuse[at]unitedcolo.de
Phone: +49-9561-871145
Fax: +49-9561-871146
WHOIS Record:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Information related to '89.163.128.0 - 89.163.255.255'
inetnum: 89.163.128.0 - 89.163.255.255
org: ORG-EGC1-RIPE
netname: DE-UNITED-COLO-20060217
descr: UNITED COLO GmbH
country: DE
admin-c: UCHM-RIPE
tech-c: UCHM-RIPE
status: ALLOCATED PA
remarks: * Please submit abuse only on *
remarks: * http://www.unitedcolo.de/abuse/ *
notify: lir[at]unitedcolo.de
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MNT-UNITEDCOLO
mnt-routes: MNT-UNITEDCOLO
changed: hostmaster[at]ripe.net 20060217
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
source: RIPE
organisation: ORG-EGC1-RIPE
org-name: UNITED COLO GmbH
org-type: LIR
address: Sonntagsanger 1
address: 96450
address: Coburg
address: Germany
phone: +499561871145
fax-no: +499561871146
e-mail: lir[at]unitedcolo.de
admin-c: ON99-RIPE
admin-c: VK1406-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MNT-UNITEDCOLO
notify: lir[at]unitedcolo.de
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster[at]ripe.net 20040415
changed: bitbucket[at]ripe.net 20041029
changed: bitbucket[at]ripe.net 20041104
changed: hostmaster[at]ripe.net 20041104
changed: bitbucket[at]ripe.net 20041105
changed: bitbucket[at]ripe.net 20041108
changed: bitbucket[at]ripe.net 20050102
changed: bitbucket[at]ripe.net 20050106
changed: bitbucket[at]ripe.net 20050204
changed: bitbucket[at]ripe.net 20050204
changed: bitbucket[at]ripe.net 20050208
changed: bitbucket[at]ripe.net 20050314
changed: bitbucket[at]ripe.net 20050314
changed: bitbucket[at]ripe.net 20050411
changed: bitbucket[at]ripe.net 20050411
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050412
changed: bitbucket[at]ripe.net 20050413
changed: bitbucket[at]ripe.net 20050414
changed: bitbucket[at]ripe.net 20050414
changed: bitbucket[at]ripe.net 20050528
changed: bitbucket[at]ripe.net 20050613
changed: bitbucket[at]ripe.net 20050617
changed: bitbucket[at]ripe.net 20050718
changed: bitbucket[at]ripe.net 20050722
changed: bitbucket[at]ripe.net 20050928
changed: bitbucket[at]ripe.net 20060110
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060215
changed: bitbucket[at]ripe.net 20060216
changed: bitbucket[at]ripe.net 20060217
changed: bitbucket[at]ripe.net 20070330
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070729
changed: bitbucket[at]ripe.net 20070813
changed: bitbucket[at]ripe.net 20070813
source: RIPE
role: Hostmaster unitedcolo.de
address: UNITED COLO GmbH
address: Sonntagsanger 1
address: 96450 Coburg
address: Germany
phone: +49-9561-871145
fax-no: +49-9561-871146
e-mail: noc[at]unitedcolo.de
admin-c: ON99-RIPE
tech-c: ON99-RIPE
tech-c: VK1406-RIPE
nic-hdl: UCHM-RIPE
notify: lir[at]unitedcolo.de
remarks: ***********************************
remarks: * *
remarks: * Mail all Abuse to *
remarks: * *
remarks: * abuse[at]unitedcolo.de *
remarks: * *
remarks: ***********************************
mnt-by: MNT-UNITEDCOLO-MNT
changed: lir[at]unitedcolo.de 20041104
changed: lir[at]unitedcolo.de 20041105
changed: lir[at]unitedcolo.de 20050312
changed: lir[at]unitedcolo.de 20050422
changed: lir[at]unitedcolo.de 20050718
changed: lir[at]unitedcolo.de 20060225
changed: lir[at]unitedcolo.de 20070729
source:
C:\Documents and Settings\Steve>
So yes, some bad records if abuse[at]unitedcolo.de is consistently bouncing but the webpage might do for individual/manual reports. If you can find a better email abuse address the deputies will want to know.
QUOTE(Farelf @ Aug 31 2008, 06:15 AM) 
but the webpage might do for individual/manual reports. If you can find a better email abuse address the deputies will want to know.
I have already tried the webpage one month ago with no luck.
The phish web site is up again.
What I'm not understand is:
making a whois on ''111212c.com", I got no reference to unitedcolo,de
but to SUPERNOVA S.R.L. and Wild West Domains, Inc.
Why I shouldn't write to that contact?
Spamcop, recover IP address and then do a reverse lookup to get abuse contact.
Is that the right procedure?
QUOTE(efa @ Aug 31 2008, 10:17 PM)
I have already tried the webpage one month ago with no luck.
The phish web site is up again.
What I'm not understand is:
making a whois on ''111212c.com", I got no reference to unitedcolo,de
but to SUPERNOVA S.R.L. and Wild West Domains, Inc.
Why I shouldn't write to that contact?
Spamcop, recover IP address and then do a reverse lookup to get abuse contact.
Is that the right procedure?
SC goes to the host of the domain's webpages - in the same way it (SC) goes to the ISP/network for the sender of the message. There is nothing wrong with going instead to the Registrar of the domain - in fact the 'payload' domain is arguably the greatest vulnerability of the spammer. IIUC that his how Complainterator works - it is mentioned many times in these pages.The phish web site is up again.
What I'm not understand is:
making a whois on ''111212c.com", I got no reference to unitedcolo,de
but to SUPERNOVA S.R.L. and Wild West Domains, Inc.
Why I shouldn't write to that contact?
Spamcop, recover IP address and then do a reverse lookup to get abuse contact.
Is that the right procedure?
If you to Domain Dossier (Note it says "Investigate domains and IP addresses") you can see both kinds of record - domain and internet. Just enter 111212c.com and check 3 boxes - domain whois record, DNS records and network whois record. Then you get the complete picture which may make things more clear.
If the host will not stop the activity, by all means try the Registrar. Or the owners of the nameservers. Or both. That is not the way SpamCop works but sometimes it is the best way.
QUOTE(Farelf @ Aug 31 2008, 09:56 AM)
ok thanks,
before this times I never noticed the detailed approach of Spamcop parser in analyzing links.
I understand that probably the better is to use both method toghether, the Spamcop and Complainterator manner.
I know well how Complainterator work:
http://www.castlecops.com/p1107921-Complai...ux.html#1107921
QUOTE(Farelf @ Aug 31 2008, 06:15 AM)
C:\Documents and Settings\Steve>whosip -r 89.163.148.89
WHOIS Source: RIPE NCC
IP Address: 89.163.148.89
WHOIS Source: RIPE NCC
IP Address: 89.163.148.89
where you found the command 'whosip' on Windows?
QUOTE(efa @ Sep 1 2008, 01:09 AM)
where you found the command 'whosip' on Windows?
See http://www.nirsoft.net/utils/whosip.html
QUOTE(Farelf @ Aug 31 2008, 05:23 PM)
ok thanks.
But this is only freeware, I prefer opensource software when available.
For 'xComplaint' when run on Win32 I use the package 'dig' from:
http://members.shaw.ca/nicholas.fong/dig/
as isn't included in Cygwin.
This package contain dig and whois, the standard GNU/GPL Domain Name System and Whois client that you can found on every Linux distro.
So the same complete options are available and you can contribute enhancing the software for the community starting from the source.
QUOTE(efa @ Sep 3 2008, 06:12 AM)
...I prefer opensource software.
For 'xComplaint' when run on Win32 I use the package 'dig' from:
http://members.shaw.ca/nicholas.fong/dig/
as isn't included in Cygwin.
OK, that is a good policy to have - thanks.For 'xComplaint' when run on Win32 I use the package 'dig' from:
http://members.shaw.ca/nicholas.fong/dig/
as isn't included in Cygwin.
QUOTE(efa @ Sep 2 2008, 05:12 PM)
But this is only freeware, I prefer opensource software when available.
For 'xComplaint' when run on Win32 I use the package 'dig' from:
http://members.shaw.ca/nicholas.fong/dig/
as isn't included in Cygwin.
This package contain dig and whois, the standard GNU/GPL Domain Name System and Whois client that you can found on every Linux distro.
So the same complete options are available and you can contribute enhancing the software for the community starting from the source.
For 'xComplaint' when run on Win32 I use the package 'dig' from:
http://members.shaw.ca/nicholas.fong/dig/
as isn't included in Cygwin.
This package contain dig and whois, the standard GNU/GPL Domain Name System and Whois client that you can found on every Linux distro.
So the same complete options are available and you can contribute enhancing the software for the community starting from the source.
Fodder for the Suggested Tools Forum section.
QUOTE(Wazoo @ Sep 3 2008, 07:20 AM)
Fodder for the Suggested Tools Forum section.
Added - http://forum.spamcop.net/forums/index.php?showtopic=9715 - efa, I think that is self explanatory but please feel free to add to the explanation 'over there' if you wish.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.